The Windows Incident Response Blog is dedicated to the myriad information surrounding and inherent to the topics of IR and digital analysis of Windows systems. This blog provides information in support of my books; "Windows Forensic Analysis" (1st thru 4th editions), "Windows Registry Forensics", as well as the book I co-authored with Cory Altheide, "Digital Forensics with Open Source Tools".

Friday, April 05, 2013

Plugin: EMDMgmt

Shortly after announcing the RegRipper consolidation, Corey hit me with a great idea...why not create a series of posts to spotlight a particular plugin, explain what it does, how it can be used, etc. I thought that this was a great idea, and told him that I would join in, so you can expect to see posts from both of us every now and again, in which we discuss a specific plugin. Once these posts start to appear, I will add them as links to a page on the RegRipper Wiki. If anyone else decides to write a similar post, please send me the link and I'll add it to the page.

The first plugin that I thought I'd take a look at is emdmgmt.pl. "EMD" apparently stands for "external memory device", which was the working name of ReadyBoost while it was being developed. When you connect a device to a Vista+ system, the ReadyBoost service checks the device to determine its characteristics and stores this information beneath the following key:

SOFTWARE\Microsoft\Windows NT\CurrentVersion\Emdmgmt

This key gets populated with subkeys that refer not just to thumb drives connected to the system, but also external drives, sometimes referred to as "drive enclosures" (which, of course, have to have a drive in them). It appears that ReadyBoost performs some sort of "check" of the device in order to determine its capabilities and see if it's suitable for use.

This plugin is useful for two primary reasons. First, it's a great way to verify that certain types of devices (thumb drives, external drives) had been connected to the system at one point. This can be validated against other sources of information (System hive, etc.).

The other useful aspect of information stored in this key applies specifically to thumb drives. In particular, the subkey that applies to a thumb drive contains the device class identifier, the device serial number, the volume serial number, and possibly the volume name (if the mounted volume has a name). For example,

This is clearly a Best Buy Geek Squad U3 thumb drive that I connected to my system. What I really like about this is the volume serial number that's listed in the output. This is translated from the information maintained at the very end of the key name. I've used this information to correlate to VSNs stored in Windows shortcut/LNK streams (shortcuts in the user's Recent folder, Jump Lists), allowing me to tie the various artifacts together in order to demonstrate not only that a particular user accessed the thumb drive, but to also demonstrate what the file system on that device looked like at the time that the user accessed it. I can then further augment this information with the output of the comdlg32.pl and shellbags.pl plugins.
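As an added illustration of the translation described above (example code written for this post, not RegRipper's emdmgmt.pl, and in Python rather than Perl), the following parses Emdmgmt subkey names into the device class, device serial, volume serial number and volume name, converts the trailing decimal volume serial into the XXXX-XXXX hex form found in LNK files and Jump Lists, and matches a list of LNK VSNs against the parsed entries. The key names and LNK VSNs below are constructed samples; the layout assumed is the device instance path, the disk interface GUID in braces, the VSN as a decimal number, and an optional underscore plus volume label. The rule that a device instance ID with `&` as its second character was generated by Windows (the device reported no serial) is a general USB-forensics convention, not something stated on this page.

```python
# Added example, not RegRipper's emdmgmt.pl: parse Emdmgmt subkey names and
# correlate their volume serial numbers with VSNs recovered from LNK/Jump List data.
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

EMDMGMT_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Emdmgmt"

# Constructed sample subkey names (not taken from a real system). Layout assumed:
# <device instance path>{interface GUID}<volume serial, decimal>[_<volume name>]
SAMPLE_KEYS: List[str] = [
    "_??_USBSTOR#Disk&Ven_Best_Buy&Prod_Geek_Squad_U3&Rev_6.15"
    "#0C90195032E36889&0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}3054262910_GEEKSQUAD",
    # enclosure whose disk reported no USB serial, so Windows generated the ID;
    # the mounted volume has no label, so there is no trailing "_<name>"
    "_??_USBSTOR#Disk&Ven_ExtDrv&Prod_Enclosure&Rev_0100"
    "#7&2a1b3c4d&0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}123456789",
]


@dataclass
class EmdEntry:
    bus: str                    # "USBSTOR" for USB mass-storage devices
    vendor: str
    product: str
    revision: str
    device_serial: str          # serial portion of the device instance ID
    volume_serial_dec: int      # as stored (decimal) at the very end of the key name
    volume_serial: str          # "XXXX-XXXX" hex form, as seen in LNK/Jump List VSNs
    volume_name: Optional[str]  # None when the volume had no label
    windows_generated_serial: bool  # True when the device reported no USB serial


_TAIL = re.compile(r"^\{[0-9a-fA-F-]{36}\}(\d+)(?:_(.*))?$")


def format_vsn(dec: int) -> str:
    """Render the decimal VSN as the XXXX-XXXX hex string used in LNK files."""
    h = f"{dec & 0xFFFFFFFF:08X}"
    return f"{h[:4]}-{h[4:]}"


def _field(segment: str, prefix: str) -> str:
    """Pull Ven_/Prod_/Rev_ values out of the '&'-separated device class segment."""
    for piece in segment.split("&"):
        if piece.startswith(prefix):
            return piece[len(prefix):]
    return ""


def parse_emdmgmt_key(name: str) -> EmdEntry:
    parts = name.split("#")
    if len(parts) != 4 or not parts[0].startswith("_??_"):
        raise ValueError(f"unexpected Emdmgmt key layout: {name!r}")
    instance_id = parts[2].rsplit("&", 1)[0]      # drop the trailing "&0" instance suffix
    generated = len(instance_id) > 1 and instance_id[1] == "&"
    m = _TAIL.match(parts[3])
    if not m:
        raise ValueError(f"no volume serial found in {parts[3]!r}")
    dec = int(m.group(1))
    return EmdEntry(
        bus=parts[0][4:],
        vendor=_field(parts[1], "Ven_"),
        product=_field(parts[1], "Prod_"),
        revision=_field(parts[1], "Rev_"),
        device_serial=instance_id,
        volume_serial_dec=dec,
        volume_serial=format_vsn(dec),
        volume_name=m.group(2),
        windows_generated_serial=generated,
    )


def correlate_lnk_vsns(entries: List[EmdEntry], lnk_vsns: List[str]) -> Dict[str, EmdEntry]:
    """Map each LNK/Jump List VSN that matches an Emdmgmt entry to that entry."""
    by_vsn = {e.volume_serial: e for e in entries}
    return {v.upper(): by_vsn[v.upper()] for v in lnk_vsns if v.upper() in by_vsn}


# Constructed VSNs, as they might be extracted from shortcuts in a user's Recent folder.
SAMPLE_LNK_VSNS = ["B60C-5A7E", "1234-ABCD"]

if __name__ == "__main__":
    entries = [parse_emdmgmt_key(k) for k in SAMPLE_KEYS]
    for e in entries:
        print(f"{e.vendor} {e.product} SN={e.device_serial} VSN={e.volume_serial} "
              f"label={e.volume_name} generated_sn={e.windows_generated_serial}")
    for vsn, e in correlate_lnk_vsns(entries, SAMPLE_LNK_VSNS).items():
        print(f"LNK VSN {vsn} -> {e.vendor} {e.product} ({e.device_serial})")
```

The first sample key's decimal tail 3054262910 becomes B60C-5A7E, which is the value an analyst would look for in the LNK volume ID structure; a hit there ties the shortcut's target path to this specific device, and the device serial from the same key name can then be checked against the System hive's USBSTOR entries.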